Search results


  • Certification for both 9001 and 27001

    1- What are the common activities / interview meetings / deliverables?

    After getting support for your project (through approval of the ISMS-QMS project plan) and approval of the Procedure for Document and Record Control, these are the common steps and deliverables:

      1) defining ISMS-QMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;

      2) performing people training and awareness;

      3) performance monitoring and measurement;

      4) performing internal audit;

      5) performing management critical review; and

      6) addressing nonconformities, corrective actions, and opportunities for improvement.

    The definition and execution of the information security risk management process are specific to ISO 27001, while the planning and realization of products and services are specific to ISO 9001.

    For further information, see how to implement integrated management systems.

    2 - Can a department interview approach be taken?

    I'm assuming your question refers to the standard's implementation.

    Considering that, a department interview approach is possible, but you need to remember the ISO management standards are process-based, so in a department interview it will be easier for the project to also consider the processes performed by the department.

    3 - Is the risk assessment and treatment plan common to both standards or only specific to 27001?

    Please note that risk assessment for each standard has different purposes and different assessment criteria, so at the moment we do not see a practical way to combine risk assessment according to ISO 27001 and ISO 9001 in a single plan. It is better to do a separate risk assessment for ISMS and for QMS.

    4 - How does the certification audit work in this case?

    In this case, you need to contact your certification body to explain that you wish to go for an integrated certification audit. The details of how this certification audit will be performed need to be aligned with the certification body.

    5 - What does it take to undertake both projects at the same time (in terms of additional time and resources)?

    Since these standards have some requirements in common, you can save approximately 30% of time and resources during the implementation.

    6 - Do you recommend working on both 9001 and 27001 certification at the same time?

    Implementing both standards at the same time is recommended when you have:

    • a customer demand or legal requirements to fulfill
    • additional resources to allocate in the implementation

    If this is not your case, you can think about implementing one standard while considering the common requirements for both standards, and when you have more resources you may start implementing the remaining requirements.

  • Risk Management Requirements

    It is not clear whether you are referring to your own internal audits or accreditation body assessments.

    Any missing or noncompliant process or activity is a non-conformance (NC). Common examples are incomplete method validations or a lack of recorded personnel competency.
    ISO 17025 does not require a classification as major or minor. The impact must be assessed by the responsible persons on a risk basis.
    Typically, however, a Major NC would be a missing or deviant critical requirement, i.e. a systemic problem (e.g. no management review performed, an ineffective or incomplete audit programme, or the absence of critical environmental monitoring), whereas a Minor NC would be a missing activity, such as a mandatory environmental monitoring record not completed for a day. If not evaluated and addressed, a minor NC could become a major risk.

    For more information on ISO 17025 requirements, have a look at 

  • Risk assessment: multiple vulnerabilities for the same threat

    In this case, you include one row for each control used to treat the same risk. For example, if you want to use 3 controls to treat the same risk, then you will have three rows with the same risk and one for each control.

    This way, you will have a better notion of how each control impacts the risk (some controls may impact only likelihood or only impact), and you can evaluate if all controls are really necessary (i.e. if you are not including excessive controls).

  • Calibrating laboratories

    ISO 17025 is applicable to testing and calibration laboratories. ISO 17025 has clear reporting-of-results requirements in clause 7.8 and, specifically for calibration reports, in clause 7.8.4, Specific requirements for calibration certificates.

    Depending on your activities, certain ISO 17025 requirements will not be relevant, for example sampling (clause 7.3), whereas others will need more detail, for example the evaluation of measurement uncertainty (clause 7.6). Measurement uncertainty must be evaluated for all calibrations and reports. The accreditation body requirements are typically documented, with reference to ILAC (the International Laboratory Accreditation Cooperation) policies and guidelines.

    See also Appendix A3, Demonstrating metrological traceability, where calibration and measurement capabilities are addressed for calibration laboratories. The scope must be defined clearly, according to the accreditation body programs.

    Furthermore, careful consideration of decision rules must be made, as typically for calibration a statement of conformity to a specification or standard (e.g. pass/fail, in-tolerance/out-of-tolerance) is made. For more information refer to https://ilac.org/publications-and-resources/ and become familiar with ILAC G8:09/2019 Guidelines on Decision Rules and Statements of Conformity and ILAC P14:09/2020 ILAC Policy for Measurement Uncertainty in Calibration.

    Have a look too at https://advisera.com/iso-17025/ for more information on ISO 17025 requirements.

  • ITP and Welding Inquiry

    We do not have inspection test plans for fabrication and welding. Laboratories that test materials are accredited to ISO 17025, while inspection bodies are accredited to the ISO 17020 standard. ISO 17025 assessment checks are applicable to testing activities, not inspection. It is ISO 17020 that covers the activities of inspection bodies. The test plans would of course cover requirements and standards specific to the welding and fabrication industry. The inspectors, in most cases, would also require personnel certification to provide competence assurance. I suggest you contact your professional association / regulatory body for further information.

  • Prioritizing implementation of ISO 9001 over ISO 17025 in laboratory

    ISO 17025 is the applicable standard for a testing or calibration laboratory to claim technical competency for the methods in its scope of work. That said, as ISO 17025 is often a voluntarily adopted standard, if it is not a mandatory requirement for a laboratory, it could start with ISO 9001 implementation and achieve ISO 9001 certification whilst implementing the technical aspects of ISO 17025. Once it is working in accordance with ISO 17025, the laboratory can apply for accreditation, if that is a quality objective.

    For more information on ISO 17025 refer to Advisera ISO 17025 – Where to Start?

  • Conformio roles

    Please note that at any moment, using Conformio, you can click on the “Company settings” option in the left panel of your screen and access the link to “Job titles” to find a set of suggested roles to be included in your ISMS according to your needs (Company main executive, Information technology, Information security, Finance, Compliance, Marketing, Legal, Human resources, Office management, and Procurement).

    For small companies, you should define at least the Company main executive and Information security roles. For bigger companies, the roles to be selected will depend on the defined scope. In the case of a bigger company where the whole company is included in the information security scope, you should probably use all roles.

    An intermediate approach should consider the roles of Company main executive, Information technology, Information security, Finance, and Human resources, because in general they cover most of the scope. E.g., the HR role can be responsible for employees' training and awareness, and Finance can be responsible for evaluating and approving security expenses.

  • Help with certification

    From our experience, some companies decide to host files on a server managed by the department that is included in the ISMS scope, but in most cases companies use cloud services like Google Drive, Dropbox or SharePoint.

    For further discussion, you can schedule a meeting with one of our experts.

  • Register of Requirements and scope

    To identify in the Register of Requirements module which requirements would be applicable to the cloud service host, in the field “To what area is this requirement related?” you need to select the option “Managing security with suppliers and partners”. Additionally, you can write this information in the description field, together with the description of the requirement.

    This way, it would be clear that the requirement is applicable to the cloud host.

    Please note that when you define that something is in the scope, you can only “leave it for later” if you accept all risks related to that element in the scope.

  • Controls in the SoA that do not show up in the Risk Assessment

    You can consider a control applicable in the SoA even if it is not related to the results of risk assessment and treatment if:

    • it is required because a legal requirement (e.g., a law, regulation, or contract) demands its implementation
    • it is required by top management as a good practice